Re: [OT] Breaking WPA2 by forcing nonce reuse
On Thu, 19 Oct 2017 16:39:34 +0100
Brian <firstname.lastname@example.org> wrote:
> On Thu 19 Oct 2017 at 11:07:01 -0400, Celejar wrote:
> > On Thu, 19 Oct 2017 12:05:23 +0100
> > Brian <email@example.com> wrote:
> > > On Wed 18 Oct 2017 at 21:30:48 -0400, Celejar wrote:
> > ...
> > > > developers, etc., but why should I not be worried and upset about the
> > > > situation with my phone, printer, etc.?
> > >
> > > Depends on the level of your concern. There are USB and ethernet
> > > connections to the printer. This might require physical relocation
> > > of the printer but it could be worth it to be worry-free. Or use a
> > > Debian-based, wireless-enabled print server in close proximity to
> > > the printer.
> > Yes, what I'm probably going to do is use the printer's ethernet
> > connection along with a Powerline adapter into a nearby power outlet.
> That's a good idea, but thinking on: there two ends to the connection,
> the printer and the sending device. Fixing printers is unlikely to be
> high on vendors' lists of priorities, but a fix is available when the
> sending device uses Debian. Isn't it sufficient to fix one end of the
> connection to dispose of the vulnerability?
As I understand it, when I print something from some device (say, my
Debian laptop), the device establishes a TCP/IP connection with the
printer to do the printing. In my (typical) setup, at the link level,
the device connects to the AP / switch / router wirelessly (via WPA2),
and so does the printer. Assuming the device and router are both
patched, the link between the device and the router is secure, but the
link between the router and printer is not, so any data I send between
the device and the printer will be secure as it traverses the first
link, but not the second. As I understand things, patching the router
doesn't really help secure the link between it and vulnerable devices
like the printer. Henrique recently noted that there is a setting
available on new OpenWRT and LEDE builds that can help, but it's
apparently not yet included in any release yet: